
New Member

ISAKMP and SAs

I just want to clarify something.

When IKE Phase 1 and 2 complete, should I expect to see an ISAKMP SA on each endpoint?

For instance, when I do "sh crypto isakmp sa" on each PIX, should there be one regardless of which side initiated the connection?

It looks this way, but the lifetimes are slightly different.


6 REPLIES
Gold

Re: ISAKMP and SAs

You are right,

but the command "sh crypto isakmp sa" only covers phase 1 of IPsec. In main mode you have 5 states with the "sh crypto isakmp sa" command:

MM_NO_STATE, MM_SA_SETUP, MM_KEY_EXCH, MM_KEY_AUTH

and when phase 1 of IPsec is established, QM_IDLE.

More info you can find here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_r1g.htm#wp1074075

The 2nd phase of IPsec you can check with the command "show crypto ipsec sa".

HTH

M.


New Member

Re: ISAKMP and SAs

Thanks for the feedback.

Just to clarify, when I do:

sh crypto isakmp sa - should I see an SA on each peer with state QM_IDLE?

Obviously I see a "show crypto ipsec sa" on each.

I

Gold

Re: ISAKMP and SAs

Yes, if you see something different than QM_IDLE it means phase 1 of IPsec is not successfully established.

New Member

Re: ISAKMP and SAs

OK, but I have an active tunnel and I don't see the QM_IDLE, but if I do "sh ipsec sa" the tunnel is there and I can ping over it, etc.

I'm guessing the tunnel came up from the other end, but should I see the QM_IDLE under "sh isakmp sa"?

Silver (Accepted Solution)

Re: ISAKMP and SAs

Yes, you should. If you can't see the SA, clear the ISAKMP session and establish it again and see if it reappears.

New Member

Re: ISAKMP and SAs

I think I may have resolved it. One tunnel is to a PIX and one to a Netscreen. I have an SA of 24 hrs.

I have noticed dead peer detection is enabled for the PIX connection (D) but not the Netscreen. For some reason the tunnel remains up but the sh ISAKMP sa disappears after a certain time.

I'm putting this down to the dead peer detection support on Cisco.
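The thread boils down to one health check: every peer that has a phase-2 (IPsec) SA should also show a phase-1 (ISAKMP) SA in QM_IDLE, and a main-mode state such as MM_KEY_EXCH means phase 1 is still in progress. The script below is an added example (not from any poster or from Cisco) that cross-checks the two outputs; the sample text is constructed in the column layout of the IOS/PIX "show crypto isakmp sa" and "show crypto ipsec sa" commands, with made-up addresses.

```python
import re

# Constructed sample of "show crypto isakmp sa" (dst / src / state / conn-id / slot).
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id slot
203.0.113.2     198.51.100.1    QM_IDLE              1    0
203.0.113.3     198.51.100.1    MM_KEY_EXCH          2    0
"""

# Constructed excerpt of "show crypto ipsec sa": one current_peer line per
# IPsec SA. 203.0.113.4 has a phase-2 SA but no phase-1 entry above, which
# is the symptom described in the thread (tunnel passes traffic, no QM_IDLE).
IPSEC_SA_OUTPUT = """\
interface: outside
    current_peer 203.0.113.2 port 500
    current_peer 203.0.113.3 port 500
    current_peer 203.0.113.4 port 500
"""

# Main-mode states listed in the thread; QM_IDLE means phase 1 is established.
MAIN_MODE_STATES = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH"}
ESTABLISHED = "QM_IDLE"


def parse_isakmp_sa(text):
    """Return {dst_peer: state} for each SA row; the header line is skipped."""
    rows = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3:
            rows[fields[0]] = fields[2]
    return rows


def parse_ipsec_peers(text):
    """Collect the peer address from every current_peer line."""
    return set(re.findall(r"current_peer\s+(\S+)", text))


def check_tunnels(isakmp_text, ipsec_text):
    """Classify each peer seen in either output: established (QM_IDLE),
    phase1-incomplete (still in a main-mode state), no-isakmp-sa (IPsec SA
    present but no ISAKMP SA), or unexpected (a state not in the thread's list)."""
    isakmp = parse_isakmp_sa(isakmp_text)
    result = {}
    for peer in sorted(parse_ipsec_peers(ipsec_text) | set(isakmp)):
        state = isakmp.get(peer)
        if state is None:
            result[peer] = "no-isakmp-sa"
        elif state == ESTABLISHED:
            result[peer] = "established"
        elif state in MAIN_MODE_STATES:
            result[peer] = f"phase1-incomplete ({state})"
        else:
            result[peer] = f"unexpected ({state})"
    return result


if __name__ == "__main__":
    for peer, verdict in check_tunnels(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT).items():
        print(f"{peer:16} {verdict}")
```

A "no-isakmp-sa" verdict on a peer whose tunnel still passes traffic is exactly the state the thread describes; re-run after clearing the ISAKMP session as the accepted answer suggests and it should move to "established".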
